Skip to content

Latest commit

 

History

History
109 lines (65 loc) · 3.22 KB

README.md

File metadata and controls

109 lines (65 loc) · 3.22 KB

IAM

Manage Data.gov sandbox access through Infrastructure as Code.

Goals

  • Manage IAM users and access using Infrastructure as Code
  • Consolidate policy definitions in a single, easy to audit, location
  • Manage both human users and machine accounts
  • Automatically apply changes through GH workflow

Features

  • Enforce MFA on all human users
  • Create machine accounts for continuous deployment
  • New users can sign in with temporary password

Usage

Changes are applied automatically through continuous deployment. As part of the PR review, you should check that terraform plan includes only expected changes.

The main branch will automatically apply changes.

New users

Create a new user module within users.tf. You can copy from an existing resource. Make sure the user is in the developers group which enforces MFA.

module "firstname_lastname" {
  source  = "./user"
  name = "firstname.lastname@gsa.gov"
  groups = ["developers"]
}

Once applied, request that an admin log into IAM to enable console access and set a temporary password for the user.

Screenshot showing how to enable IAM console access

At this point, the user can login with the temporary password. From the AWS console, click their username -> My Security Credentials. They will have to enable MFA and change their password before they can do anything else.

Note: the new user may have to sign out and back in again.

Removing a user

Remove the user's entry from users.tf.

Development

Requirements

These tools are available through your package manager, or through pip.

Setup AWS credentials

All developers are in the developers IAM group which enforces access through multi-factor authentication (MFA). You must first get temporary credentials to use with Terraform.

First, copy env.sample to .env, customize it with your AWS access key. AWS_MFA_DEVICE_ARN should be set with your MFA arn. This can be found on the "My Security Credentials" page in the AWS console. Then source these environment variables.

$ source .env

You'll be prompted for your MFA code. Enter it without any spaces when prompted.

These credentials are good for 12 hours.

First-time setup

Create the s3 bucket (datagov-terraform-state) to hold the terraform state defined in main.tf.

Manually create the IAM CI deploy user (datagov-ci) for use with CI. An appropriate terraform-managed policy will be attached to this user.

The first execution of iam should be done manually with admin permissions.

$ terraform init
$ terraform apply

Once provisioned, the appropriate permissions will be attached to the datagov-ci user and execution of the other projects can be done via CI/CD.

History

This repository was split out from GSA/datagov-infrastructure-live.